Security for enterprise

On a BlackBerry device that is activated with BlackBerry Enterprise Service 10 (BES10) or BlackBerry Enterprise Service 12 (BES12), advanced data at rest protection is available, at the administrator's discretion. The device must be activated with an activation type of "Work and personal - Regulated" or "Work space only". For more information about activation types, see Enterprise activation types.

Advanced data at rest protection

Advanced data at rest protection helps to secure sensitive data by restricting access to
files in the device's work space when the work space is in a data lock state. When the
work space is data locked, only apps that are data lock aware are allowed to continue to
run in the work space. They are restricted to accessing only certain parts of the work
space file system.

In addition to restricting when files can be accessed, advanced data at rest protection provides enhanced file encryption. The master keys for encrypting work space files are also encrypted. The files are encrypted using keys that are tied to information that is not stored on the device, such as a user password or smart card.

To use advanced data at rest protection, an organization needs to have BES10 version 10.2 or later or BES12. Its BlackBerry 10 devices must be running BlackBerry 10 OS version 10.3.1 or later.

For BES10, the organization must:

Set the "Advanced Data at Rest Protection" IT policy rule to Yes.

Decide whether data lock should be activated as soon as the work space locks or if
there should be a delay between the work space locking and data lock being
activated. Use the "Advanced Data at Rest Protection Timeout" IT policy rule to set
the delay, if any.

Activate the device using an activation type of "Work space only" or "Work and
personal - Regulated". Advanced data at rest protection is not available on personal
devices or on devices that are activated with an activation type of "Work and
personal - Corporate".

For BES12, the organization must:

Select the "Force advanced data at rest protection" IT policy rule.

Decide whether data lock should be activated as soon as the work space locks or if
there should be a delay between the work space locking and data lock being
activated. Use the "Advanced data at rest protection timeout" IT policy rule to set
the delay, if any.

Activate the device using an activation type of "Work space only" or "Work and
personal - Regulated". Advanced data at rest protection is not available on personal
devices or on devices that are activated with an activation type of "Work and
personal - Corporate".

On devices with both a work space and a personal space, personal apps are not affected
by the work space entering into a data lock state. They continue to run and can access
the device's file system normally.

Every app in the work space has a home folder in the work space file system that is
accessible only to that app. An app that is data lock aware has two additional standard
folders that only that app can access: a startup folder and an operational folder.

There are two types of data lock:

Startup locked: When a device is first turned on and the user has not yet
authenticated to the work space, the work space is startup locked. An app that is
data lock aware can run, but the only folder in the work space file system that it
can access is the app's startup folder.

Data locked: If the administrator sets a timeout of 0, as soon as the work space on
a device locks, the work space is data locked, too. If the administrator sets a
longer timeout, the work space is data locked after the specified amount of time
(unless the user unlocks the work space before the timeout ends). An app that is
data lock aware can continue to run when the work space is data locked, but the only
folders in the work space file system that it can access are the app's startup and
operational folders.

When the work space is not in a data lock state, the work space file system can be
accessed normally.

Data lock state transitions

The following diagram shows how the work space can move between data lock states. It also
shows, in italics, the corresponding device locked statuses.

The device returns to the Off state when the user turns off the device, the battery
power gets too low, or the battery is removed.

User authentication means that the user’s identity is confirmed by a password or
smart card.

The data lock trigger can be any of the following:

The smart card is removed.

An app triggers data lock.

For a device activated on BES10, the administrator uses BlackBerry Management Studio to send the "Specify a new password and lock the device" command.

For a device activated on BES12, the administrator uses the BES12 management console to send the "Specify the device password, lock the device and set message" command.

For BES10, the timeout delay is specified by the "Advanced Data at Rest Protection
Timeout" IT policy rule. For BES12, the delay is specified by the "Advanced data at
rest protection timeout" IT policy rule. In both cases, the delay can be set to
0.

The device can be locked for the user (deviceLockedStatus = passwordLocked) without the work space being dataLocked.

This diagram applies only to the work space. In the personal space, dataLockState is always notLocked.
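The two data lock types and the state transitions above, modelled as a small state machine. This is an added example written for this page, not BlackBerry code: the state and folder names are the page's own terms, while the transition rules, the method names and the folder access checks are assumptions reconstructed from the text.

```python
from dataclasses import dataclass
from typing import Optional

# States named on the page plus the diagram's Off state; per-app folder kinds.
NOT_LOCKED, STARTUP_LOCKED, DATA_LOCKED, OFF = "notLocked", "startupLocked", "dataLocked", "off"
HOME, STARTUP, OPERATIONAL = "home", "startup", "operational"

@dataclass
class WorkSpace:
    """Work space data lock model; transition rules reconstructed from the page text."""
    timeout: int                       # "Advanced data at rest protection timeout", seconds
    state: str = OFF
    password_locked: bool = False      # deviceLockedStatus == passwordLocked
    locked_at: Optional[float] = None  # set while the timeout delay is running

    def power_on(self):
        # Startup locked until the user authenticates to the work space.
        self.state, self.password_locked, self.locked_at = STARTUP_LOCKED, True, None

    def authenticate(self):
        # Password or smart card confirms the user's identity and clears any lock.
        if self.state != OFF:
            self.state, self.password_locked, self.locked_at = NOT_LOCKED, False, None

    def lock(self, now: float, trigger: bool = False):
        # A data lock trigger (smart card removed, app request, administrator lock
        # command) or a timeout of 0 data locks at once; otherwise the delay starts.
        if self.state == NOT_LOCKED:
            self.password_locked = True
            if trigger or self.timeout == 0:
                self.state, self.locked_at = DATA_LOCKED, None
            else:
                self.locked_at = now

    def tick(self, now: float):
        # Delay expired without the user unlocking: the work space is data locked.
        if self.locked_at is not None and now - self.locked_at >= self.timeout:
            self.state, self.locked_at = DATA_LOCKED, None

    def can_access(self, app: str, lock_aware: bool, owner: str, folder: str) -> bool:
        """Whether `app` may use `folder` (owned by `owner`) in the current state."""
        if app != owner or self.state == OFF:
            return False  # every app's folders are private to that app
        if self.state == NOT_LOCKED:
            return True   # file system accessible normally
        if not lock_aware:
            return False  # only data lock aware apps keep running
        if self.state == STARTUP_LOCKED:
            return folder == STARTUP
        return folder in (STARTUP, OPERATIONAL)  # dataLocked
```

The `lock` call without `trigger` reproduces the case the last paragraph describes: the device is passwordLocked while the work space is still notLocked until the delay runs out.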